PlainID Identity Security Posture Management Blog

How PlainID Solves the OPA Manageability Gap

Written by Gal Helemski | Feb 2, 2021 12:21:44 PM

Editor's Note - We hosted a webinar on PlainID's OPA integration. Watch it on demand here: https://www.brighttalk.com/webcast/18611/471827

Open Policy Agent, or OPA, is an open source solution that lets you take a policy-as-code approach to enforcing access controls across your technology stack.

In order to work well at scale, however, OPA policies need to be managed efficiently. Without a systematic process for deploying and monitoring OPA policies, teams run the risk of errors or delays that can undercut the benefits that OPA stands to deliver.

Fortunately, there’s a solution to OPA management challenges: PlainID. In this article, we take a look at why OPA management is important and how to streamline it using PlainID Policy Manager.

The Advantages of OPA

OPA has generated more than a little buzz since the Cloud Native Computing Foundation (CNCF) accepted it as an incubating project in 2019.

OPA owes its popularity not just to the fact that it’s open source, but also to the fact that it’s a general-purpose policy engine that provides a way to decouple enforcement from decision-making.

With OPA, you can write policy files that define how a variety of resources -- from cloud access controls, to SSH and sudo privileges, to data management rules and beyond -- are configured and enforced. By allowing teams to use a declarative language and enforcement engine for policies, work that is otherwise embedded in code is offloaded from the code, and possibly even from the developer.

PlainID Policy Manager 

PlainID Policy Manager streamlines the management of policies across environments.

PlainID offers a centralized and secure hub for monitoring and analyzing all of the policies that teams use to drive their workflows. Whether the policies are configured via OPA or using a different framework, PlainID ensures that they can be managed from a central location. PlainID also provides a deep analytics engine that allows users to understand what their policies do and which resources they expose to which users.

In addition, because PlainID maintains industry-leading standards for security and compliance, it is able to manage policies in a way that protects against unauthorized access and adheres to the regulatory rules that may impact PlainID users.

PlainID for OPA

Technically, you don’t need additional tools to use OPA. You can manage OPA policies by hand. Unless you are working with just a handful of policies, however, that approach quickly becomes infeasible.

PlainID Policy Manager offers an enterprise-grade solution for managing policies across apps and platforms, including support for OPA.

Centralized management, distributed deployment

With PlainID, you can manage and analyze all of your policies from a central administration UI. At the same time, however, you can deploy them in a distributed way that fits your environment.

In other words, PlainID provides the best of both worlds: A central location for policy management combined with a flexible deployment model that works with whichever type of architecture you are using, and whichever services you are configuring via OPA.

Catch issues early

Because PlainID allows you to analyze and audit your policies, it makes it easy to find problems before deployment. That way, you can fix issues before your configurations go live.

This approach -- which aligns with the “shift left” thinking that is prevalent in DevOps circles -- is much more efficient than having to roll back a policy you’ve already deployed, which places you at risk of disrupting a live resource.

Graphical policy authoring

Writing dozens or hundreds of policy files by hand in a code editor is a tedious task. With PlainID, you can take advantage of graphical policy authoring, which makes the process faster, simpler and more intuitive. What’s more, PlainID can generate some policy content for you automatically, which reduces tedium even more.

Support for external resources

OPA is designed to manage resources that live directly inside your environment, not external resources such as third-party APIs or services. Thus, with OPA, supporting external resources is a pain.

PlainID solves this issue by allowing users to construct policies based not just on internal resources but also on external data feeds. This is another way in which PlainID centralizes all aspects of policy management while simultaneously supporting a distributed architecture.

Conclusion

OPA is great, and it’s on track to enjoy massive adoption over the coming years. What many teams will realize when they deploy OPA, however, is that they lack the management features necessary to deploy and control OPA policies efficiently at scale. 

PlainID provides a solution that enables the enterprise to adopt OPA in the way it is accustomed to, providing an end-to-end solution for creating, deploying and managing the life cycles of policies as code, no matter which types of resources they are supporting or how their systems are designed.